OVERVIEW

Infection Channel:

Spammed via email, Downloaded from the Internet

Malware belonging to the SASFIS family is known to be downloaded onto systems when users visit sites that have been compromised with a particular exploit pack known as "Eleonore". SASFIS variants are also sent via spammed messages, such as spoofed messages purporting to come from Facebook and the iTunes Store. These email messages carry a .ZIP file attachment that contains TROJ_SASFIS.HN.
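The spam vector above (a ZIP attachment wrapping an executable) is cheap to catch at the mail gateway. The following is an added example, not code from the original entry or from Trend Micro: it builds a constructed, harmless ZIP in memory in place of a real attachment, then flags archive members that are executables by extension, by the PE "MZ" header, or because the member is encrypted and cannot be inspected. The file names and contents are made up for illustration.

```python
import io
import zipfile
from typing import List

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for a spoofed 'Facebook'/'iTunes Store' attachment.
    Contains no real malware: the 'executables' are just an MZ magic and padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "nothing to see here\n")
        # Double extension: shows as a PDF in mail clients that hide .exe
        z.writestr("Invitation.pdf.exe", b"MZ" + b"\x00" * 62)
        # Renamed executable: harmless-looking name, but a PE header inside
        z.writestr("photo.jpg", b"MZ" + b"\x90" * 30)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with only a text document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "quarterly numbers\n")
    return buf.getvalue()


def executable_members(zip_bytes: bytes) -> List[str]:
    """Return members that look like Windows executables.

    A member is flagged if its extension is executable, if its first two
    bytes are the PE/DOS 'MZ' magic, or if it is encrypted (password-protected
    attachments are a common way to evade content inspection)."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                hits.append(name)
                continue
            with z.open(info) as member:
                magic = member.read(2)
            if ext in EXECUTABLE_EXTENSIONS or magic == b"MZ":
                hits.append(name)
    return hits


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: any executable-looking member quarantines the message."""
    try:
        return bool(executable_members(zip_bytes))
    except zipfile.BadZipFile:
        # A corrupt or truncated archive cannot be inspected; treat as suspicious.
        return True


if __name__ == "__main__":
    print(executable_members(build_sample_zip()))
    print(should_quarantine(build_benign_zip()))
```

Extension checks alone miss renamed payloads, and header checks alone miss encrypted archives, so the function combines all three signals; a malformed archive is quarantined rather than passed through.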

It is also known to be associated with FAKEAV variants that are downloaded onto systems when users visit pornographic sites. Though viewed as a simple downloader, SASFIS opens affected systems to botnet attacks, particularly by ZeuS and BREDOLAB.

SASFIS has been seen as early as 2009. Affected systems may take part in botnet operations, are susceptible to data theft, and are difficult to clean up.

Cybercriminals behind the SASFIS malware use pay-per-install (PPI) and pay-per-access (PPA) business models to earn money.

PPI business model: Cybercriminals behind other malware families, such as ZeuS and BREDOLAB, pay the SASFIS creators to have their malware downloaded and installed on systems already infected with SASFIS.

PPA business model: The SASFIS creators embed a list of adult websites in the code of the components downloaded by SASFIS variants. When the user of a SASFIS-infected system browses to an adult website, the component redirects the browser to one of the listed sites instead.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Downloads files

Installation

This Trojan drops the following file:

%User Profile%\Local Settings\{random file name}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
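Because the dropped file has a random name, a hunt has to key on the location rather than the name: an .exe sitting directly in a profile's Local Settings folder (not in Temp or Application Data beneath it) is out of place. The following is an added example, not code from the original entry or from Trend Micro. It resolves %User Profile% per the note above, applies that location test to a constructed directory listing (the paths and file names are made up; none come from a real infected host), and returns the matches.

```python
from pathlib import PureWindowsPath
from typing import Iterable, List


def profile_root(windows_version: str, user: str) -> PureWindowsPath:
    """%User Profile% for the Windows versions listed in the note above."""
    v = windows_version.lower()
    if v in {"98", "me"}:
        return PureWindowsPath(r"C:\Windows\Profiles") / user
    if v == "nt":
        return PureWindowsPath(r"C:\WINNT\Profiles") / user
    if v in {"2000", "xp", "2003"}:
        return PureWindowsPath(r"C:\Documents and Settings") / user
    raise ValueError(f"unsupported Windows version: {windows_version}")


def is_sasfis_drop_path(path: str) -> bool:
    """True if path matches %User Profile%\\Local Settings\\{random file name}.exe.

    The check is location-based: an .exe whose parent is 'Local Settings' and
    whose grandparent's parent is one of the profile roots from the note.
    Executables in subfolders such as Temp or Application Data are not matched."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe":
        return False
    parent = p.parent
    profile_container = parent.parent.parent.name.lower()
    return (parent.name.lower() == "local settings"
            and profile_container in {"profiles", "documents and settings"})


def find_suspicious_drops(paths: Iterable[str]) -> List[str]:
    """Filter a file listing (e.g. from 'dir /s /b') down to SASFIS-style drops."""
    return [p for p in paths if is_sasfis_drop_path(p)]


# Constructed listing for illustration; not captured from a real system.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\~DF1234.tmp",
    r"C:\Documents and Settings\alice\Local Settings\kqzxwv.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\foo.exe",
    r"C:\WINNT\Profiles\bob\Local Settings\a8fd3.EXE",
    r"C:\Program Files\Local Settings\evil.exe",  # 'Local Settings' but not under a profile
    r"C:\Documents and Settings\alice\Local Settings\notes.txt",
]


def demo() -> List[str]:
    return find_suspicious_drops(SAMPLE_LISTING)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live host the listing would come from a recursive directory enumeration of each profile root; the predicate is deliberately case-insensitive because NTFS and FAT paths are.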